feat: GitHub Actions CI + secure/httponly cookies (PR bugy#812)

## GitHub Actions CI (.github/workflows/ci.yml)
- Replace dead Travis CI with GitHub Actions workflow
- Matrix: Python 3.10, 3.11, 3.12 (fail-fast: false)
- Separate job for frontend tests (Node 20, npm ci)
- Uses pip cache and npm cache for faster runs

## Secure & HttpOnly cookies (upstream PR bugy#812 by @cpadlab)
- Add cookie_secure config option (default: true) in ServerConfig
- Set httponly=True on all session cookies (username, token,
  token_details, client_id_token)
- Respect cookie_secure flag on all set_secure_cookie calls
- Add xsrf_cookie_kwargs: httponly=True, samesite=Lax, secure=cookie_secure
- Fix test mocks: add application.server_config, accept **kwargs in
  set_secure_cookie (test_utils, ip_idenfication_test,
  test_auth_abstract_oauth, server_test)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 2 people

.github/workflows/ci.yml

@@ -0,0 +1,58 @@
+name: CI
+
+on:
+  push:
+    branches: [ master, stable ]
+  pull_request:
+    branches: [ master, stable ]
+
+jobs:
+  python-tests:
+    name: Python ${{ matrix.python-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+
+      - name: Install dependencies
+        run: |
+          pip install -r requirements.txt
+          pip install ldap3 bcrypt parameterized pytest
+
+      - name: Run unit tests
+        working-directory: src
+        run: pytest tests/ -q --tb=short
+
+  frontend-tests:
+    name: Frontend (Node 20)
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
+          cache-dependency-path: web-src/package-lock.json
+
+      - name: Install dependencies
+        working-directory: web-src
+        run: npm ci
+
+      - name: Run unit tests
+        working-directory: web-src
+        env:
+          NODE_OPTIONS: --openssl-legacy-provider
+        run: npm run test:unit-ci

src/auth/identification.py

@@ -116,7 +116,8 @@ def _read_client_token(self, request_handler):
     def _write_client_token(self, client_id, request_handler):
         expiry_time = date_utils.get_current_millis() + days_to_ms(self.EXPIRES_DAYS)
         new_token = client_id + '&' + str(expiry_time)
-        request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS)
+        server_config = request_handler.application.server_config
+        request_handler.set_secure_cookie(self.COOKIE_KEY, new_token, expires_days=self.EXPIRES_DAYS, secure=server_config.cookie_secure, httponly=True)
 
     def _can_write(self, request_handler):
         return can_write_secure_cookie(request_handler)

src/auth/oauth_token_manager.py

@@ -24,7 +24,8 @@ def update_tokens(self, token_response: OAuthTokenResponse, username, request_ha
         if not self._enabled:
             return
 
-        request_handler.set_secure_cookie('token', token_response.access_token)
+        server_config = request_handler.application.server_config
+        request_handler.set_secure_cookie('token', token_response.access_token, httponly=True, secure=server_config.cookie_secure)
 
         if token_response.should_refresh():
             refresh_token = token_response.refresh_token
@@ -33,7 +34,7 @@ def update_tokens(self, token_response: OAuthTokenResponse, username, request_ha
                 self._refresh_tokens[username] = refresh_token
                 self._schedule_token_refresh(username, refresh_token, token_response.resolve_next_refresh_datetime())
 
-            request_handler.set_secure_cookie('token_details', token_response.serialize_details())
+            request_handler.set_secure_cookie('token_details', token_response.serialize_details(), httponly=True, secure=server_config.cookie_secure)
 
     def can_restore_state(self, request_handler):
         if not self._enabled:

src/auth/tornado_auth.py

@@ -88,7 +88,8 @@ def authenticate(self, request_handler):
 
         LOGGER.info('Authenticated user ' + username)
 
-        request_handler.set_secure_cookie('username', username, expires_days=self.authenticator.auth_expiration_days)
+        server_config = request_handler.application.server_config
+        request_handler.set_secure_cookie('username', username, expires_days=self.authenticator.auth_expiration_days, httponly=True, secure=server_config.cookie_secure)
 
         path = tornado.escape.url_unescape(request_handler.get_argument('next', '/'))
 

src/model/server_conf.py

@@ -43,6 +43,7 @@ def __init__(self) -> None:
         self.user_header_name = None
         self.secret_storage_file = None
         self.xsrf_protection = None
+        self.cookie_secure = True
         # noinspection PyTypeChecker
         self.env_vars: EnvVariables = None
 
@@ -201,6 +202,7 @@ def from_json(conf_path, temp_folder):
 
     security = model_helper.read_dict(json_object, 'security')
 
+    config.cookie_secure = model_helper.read_bool_from_config('cookie_secure', security, default=True)
     config.allowed_users = _prepare_allowed_users(allowed_users, admin_users, user_groups)
     config.alerts_config = json_object.get('alerts')
     config.callbacks_config = json_object.get('callbacks')

src/tests/auth/test_auth_abstract_oauth.py

@@ -157,13 +157,18 @@ def mock_request_handler(code):
 
     handler_mock.get_secure_cookie = lambda cookie: secure_cookies.get(cookie)
 
-    def set_secure_cookie(cookie, value):
+    def set_secure_cookie(cookie, value, **kwargs):
         secure_cookies[cookie] = value.encode('utf-8')
 
     def clear_secure_cookie(cookie):
         if cookie in secure_cookies:
             del secure_cookies[cookie]
 
+    server_config = mock_object()
+    server_config.cookie_secure = False
+
+    handler_mock.application = mock_object()
+    handler_mock.application.server_config = server_config
     handler_mock.set_secure_cookie = set_secure_cookie
     handler_mock.clear_cookie = clear_secure_cookie
 

src/tests/ip_idenfication_test.py

@@ -15,6 +15,8 @@ def mock_request_handler(ip=None, x_forwarded_for=None, x_real_ip=None, saved_to
     handler_mock.application = mock_object()
     handler_mock.application.auth = TornadoAuth(None)
     handler_mock.application.identification = IpBasedIdentification(TrustedIpValidator(['127.0.0.1']), user_header_name)
+    handler_mock.application.server_config = mock_object()
+    handler_mock.application.server_config.cookie_secure = False
 
     handler_mock.request = mock_object()
     handler_mock.request.headers = {}
@@ -38,7 +40,7 @@ def get_secure_cookie(name):
             return values.encode('utf8')
         return None
 
-    def set_secure_cookie(key, value, expires_days=30):
+    def set_secure_cookie(key, value, expires_days=30, **kwargs):
         cookies[key] = value
 
     def clear_cookie(key):

src/tests/test_utils.py

@@ -490,7 +490,7 @@ def get_argument(arg_name, default=None):
             return default
         return arguments.get(arg_name)
 
-    def set_secure_cookie(cookie_name, value):
+    def set_secure_cookie(cookie_name, value, **kwargs):
         cookies[cookie_name] = f'!SECURE!{value}!!!'
 
     def clear_cookie(cookie_name):
@@ -506,10 +506,17 @@ def get_secure_cookie(cookie_name):
 
         return value[8:-3].encode('utf8')
 
+    server_config = mock_object()
+    server_config.cookie_secure = False
+
+    application = mock_object()
+    application.server_config = server_config
+
     request_handler.get_argument = get_argument
     request_handler.set_secure_cookie = set_secure_cookie
     request_handler.get_secure_cookie = get_secure_cookie
     request_handler.clear_cookie = clear_cookie
+    request_handler.application = application
 
     request_handler.request = mock_object()
     request_handler.request.method = method

src/tests/web/server_test.py

@@ -278,6 +278,7 @@ def start_server(self, port, address, *, xsrf_protection=XSRF_PROTECTION_TOKEN):
         config.port = port
         config.address = address
         config.xsrf_protection = xsrf_protection
+        config.cookie_secure = False
         config.max_request_size_mb = 1
 
         authorizer = Authorizer(ANY_USER, ['admin_user'], [], ['admin_user'], EmptyGroupProvider())

src/web/server.py

@@ -864,6 +864,11 @@ def init(server_config: ServerConfig,
         'websocket_ping_timeout': 300,
         'compress_response': True,
         'xsrf_cookies': server_config.xsrf_protection != XSRF_PROTECTION_DISABLED,
+        'xsrf_cookie_kwargs': {
+            'httponly': True,
+            'secure': server_config.cookie_secure,
+            'samesite': 'Lax'
+        },
     }
 
     application = tornado.web.Application(handlers, **settings)